Re: [reSIProcate] Visual Studio 2005 compilation warnings of 1.4 branch

[Adam Roach <adam@xxxxxxxxxxx>]

Ares.

/a

On 12/9/08 5:31 PM, Jason Fischl wrote:
> Where are we using strcpy where Data couldn't be used? I seem to 
> recall that there were almost no uses of the unsafe c library 
> functions in resip.
>
> Jason
>
>
> On Dec 9, 2008, at 3:13 PM, Matthias Moetje wrote:
>
> > Adam,
> >
> > thanks for the explanations. A more detailed technical discussion 
> > about strncpy and strcpy_s can be found here:
> >
> > http://objectmix.com/c/706786-strcpy_s-vs-strcpy-2.html
> >
> > I would vote to move to the *_s functions and create wrappers for 
> > non-Win-platforms that are semantically identical, like for example:
> >
> >
> > errno_t strcpy_s(char *strDestination, size_t sizeInBytes, const char 
> > *strSource)
> > {
> >     // Parameter check
> >     if ((strDestination == NULL) || (strSource == NULL))
> >     {
> >         return EINVAL;
> >     }
> >     if (sizeInBytes == 0)
> >     {
> >         return ERANGE;
> >     }
> >     
> >     // Measure source string but only as long as it is
> >     // not larger than the destination buffer
> >     size_t srcLen = strnlen(strSource, sizeInBytes);
> >
> >     if (srcLen >= sizeInBytes) // '>' should never be the case
> >     {
> >         // Source string is larger than dest buffer
> >         // Overrun detected. Do not modify strDestination
> >         return ERANGE;
> >     }
> >     
> >     //
> >     strncpy(strDestination, strSource, srcLen);   
> > }
> >
> > Although this wrapper might seem a bit more complex, it can even improve
> > performance (compared to strncpy alone) when copying small strings to
> > large buffers, since strnlen stops when it finds the null terminator
> > and in this case the result of strnlen is used to limit copying with
> > strncpy. When using strncpy alone, it would pad the whole dest buffer
> > with zeros.
> >
> >
> > An advantage with this approach is that this will stronger force
> > us to check the result of the *_s functions in the code and take
> > appropriate measures which is not the case with the strn* functions.
> >
> >
> > Best regards,
> > Freundliche Grüße,
> >
> > Matthias Moetje
> > ______________________________________________
> >
> > TERASENS GmbH       Phone:  +49.89.143370-0
> > Augustenstraße 24   Fax:    +49.89.143370-22
> > 80333 Munich        e-mail: info@xxxxxxxxxxxx
> > GERMANY             Web:    www.terasens.com
> > ______________________________________________
> >
> >
> >
> > > -----Original Message-----
> > > From: Adam Roach [mailto:adam@xxxxxxxxxxx]
> > > Sent: Sonntag, 7. Dezember 2008 19:48
> > > To: Matthias Moetje
> > > Cc: Max Bowsher; resiprocate-devel@xxxxxxxxxxxxxxx
> > > Subject: Re: [reSIProcate] Visual Studio 2005 compilation warnings 
> > > of 1.4
> > > branch
> > >
> > > Matthias Moetje wrote:
> > > > The safe string functions are in fact not underscore-prefixed; at
> > > > least those not starting with 'str'. Instead they are suffixed
> > > > with '_s' which isn't really that bad. Apart from prefixes and 
> > > > suffixes
> > > > in the end there is no doubt that these functions really improve code
> > > > quality and security.
> > > >
> > > > I hope to be able to start with the function replacement in Jan
> > > > Or Feb 2009 if there are no objections.
> > >
> > > Don't.
> > >
> > > Here's what's going on with the *_s functions. Microsoft submitted a
> > > batch of "more secure" functions (such as strcpy_s) to the ISO/IEC for
> > > potential inclusion in a future version of the C standard (the draft
> > > that defines these proposed functions is here:
> > > http://www.open-std.org/JTC1/SC22/WG14/www/docs/n1135.pdf). As far as I
> > > can tell, they have not been accepted for future inclusion yet, and
> > > there is significant push-back in the developer community against this
> > > set of functions
> > > (<http://sources.redhat.com/ml/libc-alpha/2007-09/msg00069.html>,
> > > <http://www.informit.com/blogs/blog.aspx?uk=Theyre-at-it-again>,
> > > <http://fsfoundry.org/codefreak/2008/09/15/security-crt-safer-than-standard- 
> > >
> > > library/>).
> > >
> > > In any case, these functions do not appear to have been implemented
> > > under OS X Leopard; nor is it in any of the libc versions that I can
> > > find installed by default with Ubuntu or Fedora (both glibc; see the
> > > first link in my list above). I suspect these functions have not been
> > > widely implemented outside of Redmond.
> > >
> > > For most of the string functions, you can accomplish the same security
> > > properties with C89/C99 functions like strncpy, as long as you are
> > > careful to null-terminate your destination buffer when you're done.
> > >
> > > So, if you wanted to go through and fix things to use the C89 "safer"
> > > functions (like strncpy), that would be a Good Thing -- but it's
> > > apparently not going to fix the Microsoft compiler warnings. For that,
> > > you'll apparently need to convince Microsoft to stop being so
> > > provincial. Or you can define '"_CRT_SECURE_NO_WARNINGS" in the 
> > > project,
> > > which is probably the best approach under the circumstances.
> > >
> > > /a
> > >
> > > P.S. Digging through this mess, I was pointed to an interesting
> > > development in the draft C++0x standard: "The class template 
> > > auto_ptr is
> > > deprecated. [ Note:The class template unique_ptr (20.6.5) provides a
> > > better solution.
> > > - end note ]"
> > _______________________________________________
> > resiprocate-devel mailing list
> > resiprocate-devel@xxxxxxxxxxxxxxx
> > https://list.resiprocate.org/mailman/listinfo/resiprocate-devel